Are you currently experiencing an attack?

Are you currently experiencing an attack?

Secure Your Cloud Software Supply Chain

In recent years, there has been a dramatic increase in the number of high-profile software supply chain attacks. Vulnerabilities like Log4Shell left engineering teams across the tech industry scrambling to patch millions of vulnerable nodes. The Orion NMS (Network Management System) suffered a serious supply-chain attack that compromised its systems and those of its customers, including the US Treasury.

The nature of modern software systems and complex dependency chains means these attacks can be very difficult to detect and protect against. This article will discuss what software supply chain attacks are, how they work, and how engineering organizations can protect their vital systems and code in the age of the cloud.

What Is the Software Supply Chain?

To understand software supply chain attacks, it’s necessary to understand exactly what the software supply chain is. The short answer: everything that goes into the building and delivery of software and applications.

The long answer is more comprehensive than the title indicates. Every logical component in development, whether it be a software library, a vendor tool, or a piece of documentation, is part of the supply chain and potentially a vector for vulnerability. While some parts of the supply chain may seem obvious, others are often overlooked:

  • Systems and infrastructure
  • People
  • Processes and procedures
  • Open-source modules and libraries
  • Container images

Even ostensibly simple software can have a lot of dependencies and moving parts in its supply chain. For example, a frontend web application built with React that uses an open-source React Router library and is deployed on AWS would have the following in its supply chain:

  • React
  • React Router
  • Webpack
  • Babel
  • ESLint
  • AWS SDK for JavaScript
  • Node runtime

Those are just the software components without their dependencies. Some NodeJS libraries contain hundreds of sub-dependencies. This list also doesn’t include infrastructure, infrastructure as code (IaC), deployment automation, or any monitoring or logging. This complexity of the modern supply chain contributes significantly to the inherent difficulty of securing it.

What About the Cloud?

Modern software and application system infrastructure is likely to be partially or completely deployed on some type of cloud platform or distributed computing platform. These come in several flavors: infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS), as well as other more niche services. Despite their differences, as cloud platforms, they all share a critical security issue: Compared to traditional infrastructure, the potential attack surface is much larger.

In most cloud platforms, security is generally split between the provider and its customers in a shared responsibility model. Good cloud security practices generally center around the concept of zero-trust principles. You should not base security on assumptions about network location or identity. Instead, all activity should be verified and authorized before any kind of access is granted. This is especially important since the attack surface of cloud infrastructure is much greater than traditional systems, as nearly every resource can be or is configured to be accessible from the public internet.

The provider is responsible for the security of the cloud platform itself and its physical infrastructure. The customer is responsible for securing the workloads that are deployed on top of it. So, to properly secure a cloud system, both the provider and the customer need to take security seriously and treat it as a shared responsibility.

Note that with the rise of Infrastructure as Code solutions like Terraform, infrastructure has become a much more deeply intertwined part of the supply chain. Defining cloud infrastructure this way is a powerful abstraction and enables standardization and scaling capabilities. (Using immutable infrastructure can also reduce the risk somewhat.) Nevertheless, infrastructure must be subject to the same security controls that are present for software as well as for systems. 

How to Secure Your Supply Chain

Organizations that develop and ship software need to consider the security of the supply chain in both directions. Upstream, they must be vigilant in vetting and protecting their systems from possible weaknesses in vendor and third-party systems. Downstream, they need to take every measure possible to ensure they aren’t part of a supply chain attack against their customers that pivoted off an unpatched vulnerability.

Start Early

A successful approach to securing your software supply chain can follow different paths, but it almost always starts early in the development process. The goal is to get actionable feedback on design and implementation decisions as soon as possible. This starts as early as the design phase; ideally, developers, security engineers, and DevOps engineers collaborate on integrating DevSecOps outcomes into the entire development lifecycle.

Automate Low-hanging Fruit

Once development begins, implementing security automation on the left side of the software development life cycle (SDLC) will help identify common issues that have the potential to manifest as an attack vector in a supply chain attack. Modern development environments, particularly those focused on creating cloud-based applications, are likely to be exposed to one or all of these potential vectors:

There are several paid and open-source solutions that give engineering teams the ability to monitor Docker images and software dependencies for vulnerabilities; they can also scan their repositories for the possible exposure of sensitive data. Private image and module repositories are some of the best mitigations for these types of vulnerabilities. 

Each of the major cloud platforms provides managed container image and software library repositories. Engineering teams can proxy the public repositories while maintaining a far more comprehensive policy around allowed versions, access, and security scanning. Insecure or compromised packages can be added to deny lists, preventing them from being integrated into software deployments. Private source code repositories are also helpful, although with services like GitHub, they aren’t necessarily “private.”

What to Look For in Solutions

Engineering teams looking for all-in-one solutions for handling left-hand security automation should look for the following features:

  • Single pane of glass: The ability to quickly ascertain your security posture across a variety of systems and applications is critical to security ops.
  • Nested dependencies: A single software module dependency can very quickly turn into many software module dependencies. Good tooling provides data on these nested dependencies.
  • License evaluation: Open-source licenses can have surprising legal implications when used unknowingly in commercial products. Some tools provide the ability to highlight these issues in software libraries.
  • Scanning for credentials and other secrets: Sensitive values in source code can be incredibly damaging; thankfully they are relatively easy to catch (with automation!). This is a must-have feature in modern cloud environments: an important part of the broader requirement to keep secrets secure in the cloud.

Educate Development Teams

Good security is an ongoing, iterative process that requires everyone to commit to using good, secure development practices. The best way to learn is by doing, but providing additional education materials and training will help get engineers engaged with this vitally important objective. 

The United States CISA has issued guidance on securing a software supply chain; scheduling time with development teams to review or discuss the implementation of some of the suggested practices can be a good exercise in building shared responsibility for security.

Garbage In, Garbage Out: The Importance of Supply Chain Security

The software supply chain can act as the proverbial “Trojan Horse” for a software engineering organization. Even with investments in expensive, state-of-the-art production alerting and security detection systems, a back-door vulnerability through a third-party library or vendor system can allow your security measures to be bypassed, and expose your customers to a significant security risk.

Organizations that invest in supply-chain security will reap the dividends of a proactive, automated security posture, as it will make it far more difficult for adversaries to exploit vulnerabilities in-depth and undetected. This is an important, if often overlooked, aspect of the comprehensive web security posture that’s necessary on today’s Internet.

Get your price quote

Fill out your email below, and we will send you a price quote tailored to your needs

This website uses cookies to ensure you get the best experience on our website.